Joe Rominiecki is a contributing editor to Associations Now.
Recent high-profile cases of embezzlement at nonprofits remind us that fraud is a constant risk. Hear from several association executives who have seen embezzlement firsthand and learn what you can do to avoid a similar fate.
When the three senior executives stepped into the office of Association of American Medical Colleges CEO Darrell Kirch, M.D., one day in July 2013, he knew right away there was a problem.
"The three of them asked to see me on a Friday afternoon late, which usually conveys a sense of urgency," Kirch says. He was right. The group had discovered a longtime, trusted AAMC employee had been embezzling money from the association, what eventually proved to be north of $5 million taken over more than a decade. "My reaction mirrored what I saw on their faces when they walked in. They looked shocked, very disappointed, saddened, and that's exactly how I felt when they told me," Kirch says.
It's a feeling no association executive wants to know, but many do. A Washington Post analysis revealed in late 2013 that more than 1,000 nonprofit organizations in the United States had reported to the IRS a "significant diversion of funds" since 2008, when the IRS Form 990 first included a question about such losses.
For AAMC, swift action mitigated the potential fallout. "It was very emotional, but also the next steps were very clear cut," Kirch says. He notified AAMC's board of directors the following Monday, and the investigation began apace. By November, the (now former) employee had pleaded guilty in federal court.
The typical reaction to news of embezzlement is, "How could this happen?" AAMC's case and others are a reminder that fraud is a persistent risk that doesn't discriminate by size or mission. Their stories show that the conditions that give rise to fraud follow common themes, and the actions that can prevent it rest on both policies and people.
Like a lot of crime, embezzlement typically starts small and grows over time, which is why it can be hard to catch. With a 600-person staff and its own three-person internal audit team, complexity left AAMC exposed in ways it hadn't fully understood. "I think it's fair to say we had good controls in place, but they were inconsistent in their application," says Bernard Jarvis, chief financial officer at AAMC.
Consistency comes from both thorough staff training and a commitment to accountability throughout the organization. When either is lacking, a motivated thief can seize the opportunity for fraud. Trust, meanwhile, is a double-edged sword. It creates a positive, efficient work environment, but it can lead to complacency. It's no coincidence embezzlers are often described as "trusted insiders."
"People who work with each other … tend to get to a point where they're familiar with each other and tend to like each other, and there's a temptation to avoid confrontation and to assume the best motives of the other person," says Michael Wyland, CSL, a consultant to associations and nonprofits at Sumption & Wyland.
|Audits: Not What You Might Think|
After a Washington Post investigation uncovered more than 1,000 cases of "diversions of funds" at nonprofits, reporter Joe Stephens noted during a panel discussion that "many of these organizations got clean audits year after year."
Michael Wyland, CSL, a consultant at Sumption & Wyland, says many association executives and boards have a false sense of security about their annual financial audits. "If you talk to most accountants, they will tell you that a financial audit is not designed to discover fraud," he says. "An audit is a test of the accounting procedures used in an organization, and it samples transactions and tests whether those transactions are in compliance with generally accepted accounting principles."
Because a routine audit tests a sample of transactions, when it does uncover fraud, it's "almost by accident," Wyland says. A "forensic audit," on the other hand, will dig up the details of an embezzlement scheme, but it's far from routine. Costing perhaps 10 times as much as a standard audit, a forensic audit is typically called for only after indications of fraud have arisen.
Experts recommend a few options to better monitor for embezzlement:
Michele Packard-Milam, CAE, executive director at the Emergency Medicine Residents' Association, calls this "Too Darn Nice Syndrome." At a small nonprofit where she served as a board member, she says "too darn nice" allowed the sole staff member to pilfer about $100,000. Even as red flags appeared, some directors assumed others were monitoring for problems, and fear of conflict left important questions unasked.
"It just really speaks to the power of the political culture of a board when something can be that wrong and nobody's willing to say it out loud," she says, adding that TDNS affects boards most acutely when there's a lack of understanding of fiduciary duty.
It may be impossible to reduce fraud risk to zero, but it can be greatly minimized with a combination of solid financial controls and a supportive culture.
A few key measures serve as the foundation for fraud prevention:
Since the embezzlement case, AAMC has focused on standardizing processes, says Jarvis. It has also added monthly mandatory departmental budget reviews, a stronger vendor-authentication process, fraud-prevention training for staff, new electronic financial-management workflows, and an upgraded third-party compliance reporting hotline.
Regardless of the organization's size, an association executive must strike a balance between trust and control. "Establishing a culture of stewardship and accountability is very important for the top executive," Kirch says. "And one of the things this has actually helped us to do is reinforce the notion that we do have accountability to one another to use our resources very wisely."
That culture must envelop the board, as well. Board members should be trained on fiduciary duty, and directors with financial expertise should be recruited. Says Wyland: "It's entirely appropriate for a board member to act a bit like a third-grade math teacher and say, 'Show your work.'"
Association executives who have experienced fraud recommend a clear course of action for recovery: Start an investigation; notify the board, members, and the public at the appropriate times; file an insurance claim; and fix what went wrong.
At AAMC, Frank Trinity, chief legal officer, credits a quick response for its success in reaching a conviction and offering the best chance to recover losses. The investigation began by notifying outside counsel and law enforcement and securing electronic and physical documents of both the employee in question and anyone who might have been involved. The employee was terminated, and about 20 staff members were interviewed. A forensic accounting firm analyzed records dating back to 2001, and the FBI conducted its own interviews. A guilty plea agreement was reached within about four months. Throughout the investigation, the AAMC board was regularly apprised of its progress, and the association's outside counsel reported findings about the incident and the gaps discovered to the AAMC board shortly after. AAMC's fraud insurance policy has covered a portion of its losses, while a lawsuit against the former employee and her husband is pending.
From the outset, AAMC planned messaging and shared what information it could with members and employees as the investigation progressed. "Our core strategy was to be proactive in communicating," says Elisa Siegel, chief communications and marketing officer. "We wanted to say to people, 'We acknowledge there are gaps, and here is what we are doing to improve.'"
Transparency and a swift investigation can help avert the spread of rumors and negative press. John Durst, president and CEO of the South Carolina Restaurant and Lodging Association, took his position at the same time that SCRLA rebranded from its previous name, 10 months after the theft of nearly $500,000 by a former employee. "It just became a protracted news story, and that makes the recovery more difficult," he says.
Winning back trust was a steep climb for SCRLA. "People were looking at this association—members and stakeholders and other folks in the tourism industry—with a lot of questions," Durst says. "And we endeavored to answer those in a manner which indicated that we were going to come out of this as a very strong association." In his first 14 months on the job, Durst says he "averaged 1,000 miles a month" visiting as many members as he could in person.
While reflex might be to avoid public scrutiny after embezzlement, Packard-Milam suggests it's better to "take your lumps" right away. With the IRS Form 990 entered into public record, the alternative, after all, could be explaining later why it was swept under the rug. "Like they said at Watergate," Durst says, "whatever will come out eventually should come out immediately."
Kirch says AAMC is now strengthening its processes to enhance accountability and is working to help other associations learn how to avoid fraud, too. Diligence about financial processes must be matched with a culture that recognizes internal controls as "everyone's responsibility."
"Establishing the culture where you still trust people is important, but you can't view that as a substitute for internal controls," Kirch says. "You use your internal controls to affirm the values of accountability and stewardship."
Joe Rominiecki is senior editor at Associations Now. Email: [email protected]
Find these articles and more at www.asaecenter.org.
[This article was originally published in the Associations Now print edition, titled "It Could Happen to You."]